Home » Cisco Manuals » Hubs & Switches » Cisco DS-C9216I-K9 » Manual Viewer

Cisco DS-C9216I-K9 Switch Guide - Page 223

Configuring Passwords for Other Devices, Configuring the DHCHAP Timeout Value, Default Fabric

Add to My Manuals
Save this manual to your list of manuals

Page 223 highlights

Chapter 19 Configuring Fabric Security Configuring Passwords for Other Devices • Approach 2-Use a different password for each switch and maintain that password list in each switch in the fabric--when you add a new switch, you create a new password list and update all switches with the new list. Accessing one switch yields the password list for all switches in that fabric. • Approach 3-Use different passwords for different switches in the fabric--when you add a new switch, multiple new passwords corresponding to each switch in the fabric must be generated and configured in each switch. Even if one switch is compromised, the password of other switches are still protected. This approach requires considerable password maintenance by the user. We recommend using RADIUS or TACACS+ for fabrics with more than five switches. If you need to use local password database, you can continue to do so using Approach 3 and using the Cisco MDS 9000 Family Fabric Manager to manage the password database. Refer to the Cisco MDS 9000 Family Fabric Manager User Guide for further information. All passwords are restricted to 64 alphanumeric characters and can be changed, but not deleted. Configuring Passwords for Other Devices You can configure passwords in the local authentication database for other devices in a fabric. The other devices are identified by their device name, which is also know as the switch WWN or device WWN. The password is restricted to 64 characters and can be specified in clear text (0) or in encrypted text (7). The switch WWN identifies the physical switch. This WWN is used to authenticate the switch and is different from the VSAN node WWN. Configuring the DHCHAP Timeout Value During the DHCHAP protocol exchange if the MDS switch does not receive the expected DHCHAP message within a specified time interval, authentication failure is assumed. The time ranges from 20 (no authentication is performed) to 1000 seconds. The default is 30 seconds. When changing the timeout value consider the following factors: • The existing RADIUS and TACACS+ timeout values. • The same value must also be configured all switches in the fabric. Default Fabric Security Settings Table 19-2 lists the default settings for all fabric security features in any switch. Table 19-2 Default Fabric Security Settings Parameters DHCHAP feature DHCHAP hash algorithm DHCHAP authentication mode Default Disabled. A priority list of MD-5 followed by SHA-1 for DHCHAP authentication auto-passive. OL-7753-01 Cisco MDS 9000 Fabric Manager Switch Configuration Guide 19-5

Section	Page
Contents	3
Preface	27
Audience	27
Organization	27
Conventions	30
Obtaining Documentation	31
Cisco.com	31
Documentation DVD	31
Ordering Documentation	31
Documentation Feedback	32
Cisco Product Security Overview	32
Reporting Security Problems in Cisco Products	32
Obtaining Technical Assistance	33
Cisco Technical Support Website	33
Submitting a Service Request	33
Definitions of Service Request Severity	34
Obtaining Additional Publications and Information	34
New and Changed Information	37
Product Overview	43
Hardware Overview	43
Cisco MDS 9216 Fabric Switch	44
Cisco MDS 9500 Modular Directors	44
Cisco MDS 9100 Series Fixed Configuration Fabric Switches	45
Software Features	46
Licensing	46
High Availability	46
Switch Reliability	46
Virtual SANs	47
Intelligent Zoning	47
Inter-VSAN Routing	47
Trunking	48
PortChannels	48
IP Services	48
IP Storage	49
Call Home	49
QoS and Congestion Control	49
SPAN and RSPAN	50
Switch Management Features	50
Redundant Supervisor Module Management	50
Fabric Management	51
Security Management	51
Tools for Software Configuration	52
CLI	52
Cisco MDS 9000 Fabric Manager	53
Getting Started with Cisco Fabric Manager	55
Managing Cisco MDS 9000 Switches	56
Storage Management Solutions Architecture	57
In-Band Management and Out-of-Band Management	58
MGMT0	58
IPFC	58
Installing the Applications	59
Launching the Applications	60
Using the Management Services Wizard	61
A Note on Ports	61
Overview of Fabric Manager	63
Launching Cisco Fabric Manager	63
Using Fabric Manager	64
Menu Bar, Toolbars, and Status Bar	65
Logical/Physical Pane	65
Information Pane	66
Map Pane	66
Discovering and Viewing the Network Fabric	69
Controlling Administrator Access with Users and Roles	69
Modifying Device Grouping	69
Setting Fabric Manager Preferences	70
Viewing Reports in Fabric Manager	71
Using Device Manager	72
Launching Device Manager from Fabric Manager	72
Using Summary View	73
Comparing Device Manager to Fabric Manager	74
Performing Device Management	75
Managing Ports	75
Setting Device Manager Preferences	76
Using Performance Manager	76
Performance Manager Architecture	76
Creating a PM Configuration File	76
Collecting the Data	77
Presenting the Collected Data	77
Exporting and Importing Data	78
Integration with Cisco Traffic Analyzer	78
Configuring PM for Use with Cisco Traffic Analyzer	78
Stopping Data Collection	81
Exporting Data Collection to XML Files	81
Removing Data Collection Files from the List	81
Before You Begin	83
About Flash Devices	83
Internal bootflash:	84
External CompactFlash (Slot0)	84
Switch Roles	84
Using Valid Formats and Ranges	84
Obtaining and Installing Licenses	89
License Terminology	89
Licensing Model	90
Licensing High Availability	92
Options to Install a License	92
Obtaining a Factory-Installed License	92
Performing a Manual Installation	93
Obtaining License Key Files	93
Installing Licenses	94
Installing Licenses Using Fabric Manager License Wizard	94
Installing Licenses Using Device Manager	96
Viewing License Information in Fabric Manager	96
Viewing License Information in Device Manager	97
Removing Licenses	97
Updating Licenses	98
License Expiry Alerts	98
Moving Licenses Between Switches	99
Initial Configuration	101
NTP Configuration	101
NTP Configuration Guidelines	102
Display General NTP Statistics for a Switch	103
Create an NTP Server or Peer	103
Edit an NTP Server or Peer Configuration	104
Delete an NTP Server or Peer	104
Configuring High Availability	105
About High Availability	105
Switchover Mechanisms	106
HA Switchover	106
Process Restartability	106
Synchronizing Supervisor Modules	106
HA Redundancy States	106
Software Images	109
About Software Images	109
Essential Upgrade Prerequisites	110
Using the Software Install Wizard	111
Maintaining Supervisor Modules	112
Standby Supervisor Boot Variable Version	112
Standby Supervisor Boot Alert	113
Replacing Modules	113
Recovering a Corrupted Bootflash	113
Default Factory Settings	113
Managing Modules	115
About Modules	115
Supervisor Modules	115
Switching Modules	116
Viewing the State of a Module	116
Identifying Module LEDs	117
Configuring EPLDs	119
Default Supervisor Module Settings	120
Managing System Hardware	121
Configuring Power Supplies	121
Guidelines for Power Supplies with Different Capacities	121
Guidelines for Power Supplies with Different Capacities	123
Managing Power Supplies	124
Displaying Module Temperature	125
Monitoring Fan Modules	126
Monitoring Clock Modules	126
Viewing System Attributes	126
Viewing Running Processes	126
Viewing Flash File Information	127
Managing Inventory Information	127
Managing Module Attributes	127
Configuring and Managing VSANs	129
How VSANs Work	130
VSANs Versus Zones	132
Default and Isolated VSANs	133
Default VSANs	133
Isolated VSANs	133
VSAN Membership	134
VSAN Attributes	134
Operational State of a VSAN	134
Adding and Configuring VSANs	135
Deleting VSANs	135
Default Settings	136
Configuring Interfaces	137
Configuring Fibre Channel Interfaces	137
About Interface Modes	138
E Port	138
F Port	138
FL Port	139
TL Port	139
TE Port	139
SD Port	139
ST Port	140
Fx Port	140
B Port	140
Auto Mode	140
About Interface States	140
Administrative States	140
Operational States	141
Reason Codes	141
Configuring TL Port ALPA Caches	144
Configuring Buffer-to-Buffer Credits	144
Configuring Performance Buffers	144
Configuring the Beacon Mode	145
Identifying the Beacon LEDs	145
Configuring Switch Port Defaults	146
Default Settings	146
Configuring VSAN Interfaces	146
Configuring Gigabit Ethernet Interfaces	147
Enabling or Disabling Ports	147
Managing Interface Attributes for Ports	147
Configuring Trunking	149
About Trunking	149
About Trunking Protocol	150
Configuring Trunk Modes	150
Configuring Trunk-Allowed VSAN List	150
Trunking Configuration Guidelines	152
Default Settings	153
Configuring PortChannels	155
PortChannel Examples	155
Configuring 32-port Switching Modules and Host-Optimized Ports	156
Managing Physical Attributes for a Port	156
Viewing Port Capability Attributes	157
About PortChanneling and Trunking	157
Managing PortChannel General Attributes	158
Managing PortChannel Interface Attributes	158
Quiescing/Disabling Port Channel Members	158
About Load Balancing	159
Considerations for PortChannel Configurations	160
Error Detection	160
Default Settings	161
Configuring and Managing Zones	163
Zoning Features	164
Zoning Example	165
Configuring a Zone	166
Creating Zones	166
Creating Additional Zones	166
Cloning Zones	167
Adding Zone Members	167
Displaying Port Membership Information	168
Viewing Zone Statistics	168
Deleting Zones and Members	168
Configuring Aliases	168
Creating Zones with Aliases	169
Viewing Aliases	169
Zone Sets	169
Active and Full Zone Set Considerations	170
Distributing Zone Sets	172
Copying Zone Sets	172
Creating Zone Sets	172
Creating Additional Zone Sets	172
Cloning Zone Sets	173
Adding Zones to a Zone Set	173
Activating or Enforcing Zone Sets	173
Deactivating Zone Sets	174
Importing Active Zone Sets	174
Exporting Active Zone Sets	174
Deleting Zone Sets or Members	174
Clearing the Zone Database	175
Recovering a Full Zone Database	175
Performing Zone Merge Analysis	175
Zone Enforcement	176
The Default Zone	176
Setting Default Zone Policy	177
Changing the Default Zone Policy	177
Recovering from Link Isolation	177
LUN Zoning	178
Assigning LUNs to Storage Subsystems	179
Read-Only Zoning	179
Guidelines to Configure Read-Only Zones	179
Default Settings	180
Migrating a Non-MDS Database	180
Using the Zone Wizard	180
Configuring Inter-VSAN Routing	181
About IVR	181
IVR Features	182
IVR Terminology	182
IVR Guidelines	183
Domain ID Guidelines	183
Transit VSANs Guidelines	183
Border Switch Guidelines	183
Configuring IVR	184
Unique Domain ID Configuration Options	184
Enabling IVR	184
Configuring an IVR Topology	184
Creating an IVR Topology	184
Creating IVR Zones and Zone Sets	185
Creating Additional IVR Zones and Zone Sets	185
Activating IVR Zone Sets	186
Deactivating IVR Zone Sets	186
Recovering an IVR Full Zone Database	186
Recovering an IVR Full Topology	187
IVR Interoperability	187
IVR Using LUN Zoning or Read-Only Zoning	187
Creating IVZs and IVZSs	187
Zones versus IVZs	188
Automatic IVZ Creation	188
Configuring and Activating IVZs and IVZSs	189
Using the force Option	189
Clearing the IVZ Database	189
Using the Zone Wizard	190
Managing FLOGI, Name Server, FDMI, and RSCN Databases	191
Displaying FLOGI Details	191
Configuring the Name Server Proxy Feature	192
Displaying Name Server Database Entries	192
Displaying FDMI	192
Displaying RSCN Information	192
Sending RSCNs	193
Viewing General Attributes for the Name Server	193
Viewing Advanced Attributes for the Name Server	193
Proxy Ports for the Name Server	193
Viewing Name Server Statistics	194
Viewing RSCN Nx Registrations	194
Viewing RSCN Statistics	194
Viewing FLOGI Attributes	194
Viewing Port ELP Attributes	195
Viewing Trunk Configuration	195
Configuring Switch Security	197
Switch Management Security	198
SNMP Security	198
CLI Security	198
Switch AAA Functionalities	198
Authentication	199
Authorization	199
Accounting	199
Remote Authentication by AAA Servers	199
Remote Authentication Guidelines	199
Server Groups	200
AAA Service Configuration Options	200
Configuring RADIUS	200
About RADIUS	201
Configuring RADIUS Authentication	201
Configuring RADIUS Servers	201
Setting the RADIUS Server Address	201
Setting the RADIUS Preshared Key	202
Setting Iterations of the RADIUS Server	202
Defining Vendor-Specific Attributes	202
VSA Format	202
Configuring TACACS+	203
About TACACS+	203
Advantages of TACACS+	203
Enabling TACACS+	204
Setting the TACACS+ Server Address	204
Setting the Secret Key	204
Setting the Timeout Value	204
Defining Custom Attributes for Roles	204
Configuring Server Groups	205
Local AAA	205
Authentication and Authorization Process	205
Configuring Role-Based CLI Authorization	207
Configuring Rules and Features for Each Role	207
Configuring the VSAN Policy	208
Recovering Administrator Password	208
Configuring SSH Services	208
Enabling SSH Service	209
Generating an SSH Host Key Pair	209
Using the force Option	209
About SNMP Security	209
SNMP Version 1 and Version 2c	210
Adding a Community String	210
Deleting a Community String	210
SNMP Version 3	210
Adding SNMP Users	211
Deleting SNMP Users	211
Configuring and Creating SNMP User Roles	211
Viewing SNMP Community and User Information	212
Group-Based SNMP Access	212
Configuring Common Roles	212
Creating and Modifying Users	213
Creating Common Roles	214
Editing Common Role Rules (Device Manager Only)	215
Deleting Common Roles	215
Assigning Users to Roles	215
Default Security Settings	216
Restricting Switch Access	217
Configuring Fabric Security	219
About Fabric Authentication	219
About DHCHAP	220
DHCHAP Compatibility with Existing MDS Features	220
Configuring DHCHAP Authentication	221
Enabling DHCHAP	221
Configuring DHCHAP Authentication Modes	221
Configuring the DHCHAP Hash Algorithm	222
Configuring DHCHAP Groups	222
Configuring DHCHAP Passwords	222
Configuring Passwords for Other Devices	223
Configuring the DHCHAP Timeout Value	223
Default Fabric Security Settings	223
Configuring Port Security	225
Port Security Features	225
Enforcing Port Security	225
Configuring a Port Binding	226
Copying an Active Configuration to the Running Configuration	226
Deleting a Port Binding	227
About Auto-Learn	227
Activating Port Security	227
Activating a Port Binding	227
Displaying Activated Port Bindings	228
Configuring Auto-Learning	228
Authorization Scenario	229
Turning Auto-Learning On or Off	230
Manually Configuring Port Security	231
Identifying WWNs to Configure Port Security	231
Securing Authorized Ports	231
Activating the Port Security Database	231
Forcing Port Security Activation	232
Reactivating the Database	232
Database Scenarios	232
Displaying Port Security Statistics	233
Displaying Port Security Violations	233
Default Port Security Settings	233
Configuring Fibre Channel Routing Services and Protocols	235
FSPF Features	236
FSPF Examples	236
Fault Tolerant Fabric	236
Redundant Links	237
Fail-over Scenarios for PortChannels and FSPF Links	237
Configuring FSPF Globally	238
Managing FSPF General Attributes	238
Disabling FSPF Routing Protocols	238
Link State Record Defaults	238
Viewing Link State Records	239
Viewing FSPF Links	239
Configuring FSPF for a Specific Interface	239
Configuring FSPF Interfaces	240
Computing Route Cost	240
Specifying Hello Time Intervals	240
Specifying Dead Intervals	240
Disabling FSPF for Specific Interfaces	240
Retransmitting Intervals	240
Viewing FSPF Interface Statistics	241
Configuring Fibre Channel Routes	241
Configuring Fibre Channel Route Flows	241
Broadcast Routing	242
In-Order Delivery	242
Reordering Network Frames	242
Reordering PortChannel Frames	243
Enabling In-Order Delivery	244
Configuring Flow Statistics	244
Viewing FSPF Statistics	244
Default Settings	244
Configuring IP Services	247
Traffic Management Services	248
Configuring the Ethernet Management Port	248
Configuring the Default Gateway	249
Configuring the Default Network	250
Configuring an IP Route	250
IP Access Control Lists	250
IP-ACL Configuration Guidelines	250
Creating IP-ACLs	251
Adding Entries to an Existing IP-ACL	251
Comparing Ports	251
Applying IP-ACLs	253
Configuring IPFC	254
Configuring Overlay VSANs	254
Configuring Multiple VSANs	255
Managing IPFC Connectivity with Multiple VSANs	256
Configuring VRRP	256
VRRP Features	257
VRRP Functionality	257
Creating or Removing a Virtual Router	258
Enabling a Virtual Router	258
Adding an IP Address for a Virtual Router	258
Viewing IP Address Information	258
Managing IP Addresses for VRRP	259
Setting Priority for the Virtual Router	259
Setting the Time Interval for the Advertisement Packet	259
Preempting the Master Virtual Router	259
Configuring Authentication for the Virtual Router	259
Setting the Priority Based on Interface State	260
Configuring VRRP Operations Attributes	260
Default Settings	260
Enabling or Disabling IP Forwarding	261
Viewing Information and Statistics	261
Viewing VRRP Statistics	261
Viewing TCP Information and Statistics	261
Viewing UDP Information and Statistics	261
Viewing IP Statistics	262
Viewing ICMP Statistics	262
Configuring FICON	263
About FICON	264
MDS-Specific FICON Advantages	265
Fabric-Optimization with VSANs	265
FCIP Support	266
PortChannel Support	267
VSANs for FICON and FCP Intermixing	267
MDS-Supported FICON Features	267
FICON Port Numbering	268
Port Addresses	270
Implemented and Unimplemented Port Addresses	271
Installed and Uninstalled Ports	271
FCIP Port Number	271
Port Numbering Summary	272
FCIP and PortChannel Port Numbers	272
FC ID Allocation	273
FICON Cascading	273
MDS FICON Prerequisites	273
Enabling FICON	274
Effects of Enabling FICON	274
Creating FICON VSANs (enabling FICON) Using Fabric Manager	274
Creating FICON VSANs (enabling FICON) Using Device Manager	275
Deleting FICON VSANs (Disabling FICON)	275
Viewing FICON Director History	276
Configuring Code Page	276
Configuring the FC ID Last Byte	276
Automatically Saving the Running Configuration	276
Binding Port Numbers to PortChannels	277
Binding Port Numbers to FCIP Interfaces	277
Configuring FICON Ports	277
FICON Information Refresh Note	277
Blocking Ports	277
Prohibiting Ports	278
Entering FICON Port Configuration Information	278
Viewing FICON Port Attributes	279
FICON Configuration Files	279
Accessing FICON Configuration Files	280
Editing FICON Configuration Files	280
Creating FICON Files	280
Deleting FICON Files	281

Match case Limit results 1 per page

19-5

Cisco MDS 9000 Fabric Manager Switch Configuration Guide

OL-7753-01

Chapter 19

Configuring Fabric Security

Configuring Passwords for Other Devices

•

Approach 2—Use a different password for each switch and maintain that password list in each

switch in the fabric--when you add a new switch, you create a new password list and update all

switches with the new list. Accessing one switch yields the password list for all switches in that

fabric.

•

Approach 3—Use different passwords for different switches in the fabric--when you add a new

switch, multiple new passwords corresponding to each switch in the fabric must be generated and

configured in each switch. Even if one switch is compromised, the password of other switches are

still protected. This approach requires considerable password maintenance by the user.

We recommend using RADIUS or TACACS+ for fabrics with more than five switches. If you need to

use local password database, you can continue to do so using Approach 3 and using the Cisco MDS 9000

Family Fabric Manager to manage the password database. Refer to the Cisco MDS 9000 Family Fabric

Manager User Guide for further information.

All passwords are restricted to 64 alphanumeric characters and can be changed, but not deleted.

Configuring Passwords for Other Devices

You can configure passwords in the local authentication database for other devices in a fabric. The other

devices are identified by their device name, which is also know as the switch WWN or device WWN.

The password is restricted to 64 characters and can be specified in clear text (0) or in encrypted text (7).

The switch WWN identifies the physical switch. This WWN is used to authenticate the switch and is

different from the VSAN node WWN.

Configuring the DHCHAP Timeout Value

During the DHCHAP protocol exchange if the MDS switch does not receive the expected DHCHAP

message within a specified time interval, authentication failure is assumed. The time ranges from 20 (no

authentication is performed) to 1000 seconds. The default is 30 seconds.

When changing the timeout value consider the following factors:

•

The existing RADIUS and TACACS+ timeout values.

•

The same value must also be configured all switches in the fabric.

Default Fabric Security Settings

Table 19-2

lists the default settings for all fabric security features in any switch.

Table 19-2

Default Fabric Security Settings

Parameters

Default

DHCHAP feature

Disabled.

DHCHAP hash algorithm

A priority list of MD-5 followed by SHA-1 for

DHCHAP authentication

DHCHAP authentication mode

auto-passive.